Hi all,

I am playing with limiting client access to certain subdirectories of cephfs running latest 12.2.4 and latest centos 7.4 kernel, both using kernel client and fuse

I am following http://docs.ceph.com/docs/luminous/cephfs/client-auth/:

/To completely restrict the client to the //|bar|//directory, omit the root directory/



When I mount this directory with fuse, this works. When I try to mount the subdirectory directly with the kernel client, I get

/mount error 13 = Permission denied /

This only seems to work when the root is readable.

--> Is there a way to mount subdirectory with kernel client when parent in cephfs is not readable ?

Then I checked the data pool with rados, but I can list/get/.. every object in the data pool using the client.foo key.

I saw in the docs of master http://docs.ceph.com/docs/master/cephfs/client-auth/ that you can add a tag cephfs, but if I add this I can't write anything to cephfs anymore, so I guess this is not yet supported in luminous.

--> Is there a way to limit the cephfs user to his data only (through cephfs) instead of being able to do everything on the pool, without needing a pool for every single cephfs client?


ceph-users mailing list

Reply via email to